Marozka
Marozka is a ransomware that runs on Microsoft Windows. It was discovered by GrujaRS. It is part of the HiddenTear family. It is aimed at English-speaking users.

Payload Transmission

Marozka is distributed as a fake PDF file. It can be spread through insecure RDP configurations, email spam and malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

It encrypts data using AES cryptography and creates a ransom message in a text file called "HOW TO DECRYPT FILES.txt", which is placed in each folder that contains encrypted files. It also appends the ".Marozka" extension to encrypted files; for example, "1.jpg" is renamed to "1.jpg.Marozka". Additionally, Marozka changes the desktop wallpaper.

The "HOW TO DECRYPT FILES.txt" text file states that the cyber criminals who developed Marozka are a team of English and Russian hackers. Their ransomware has encrypted all files, and these can only be decrypted (unlocked) using their decryption tool and password/key. They claim that even reinstalling the operating system will not help and that the only way to obtain a decryption tool is to purchase one for $100. This can supposedly be done by contacting the cyber criminals via the silena.berillo@gmail.com or hto2018@yandex.ru email addresses, or via their website (proverka.host). In any case, victims are told that they have 24 hours to pay; after that time, the files will be deleted. To contact Marozka's developers via their website, users are required to provide details such as name, email address, and computer name. Payment must be made by transferring cryptocurrency to the Bitcoin wallet address provided. They promise to send a decryption tool and key following payment. Additionally, they state that any attempt to decrypt files using other tools will result in permanent data loss.
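The two file-system artefacts described above (the appended ".Marozka" extension and the "HOW TO DECRYPT FILES.txt" note dropped per folder) are what an incident responder can enumerate first when triaging a suspected infection. The script below is an added example and is not code from this page or from the malware; it walks a directory tree, lists renamed files with their pre-infection names recovered, locates the ransom notes, and flags affected folders where a note is missing (a hint that encryption may have been interrupted). The function names, the temporary sample tree it builds, and the placeholder file contents are all constructed for the example.

```python
"""Triage scanner for the Marozka file-system indicators named on this page.

Added example, not part of the original page. It only reads directory
listings; it never opens, modifies or deletes the files it reports on.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".Marozka"              # extension Marozka appends to encrypted files
RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"   # note dropped in every folder with encrypted files


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)            # paths of *.Marozka files
    notes: list = field(default_factory=list)                # paths of ransom notes found
    folders_missing_note: list = field(default_factory=list) # affected folders with no note

    def original_names(self):
        """Recover pre-infection names by stripping the suffix (1.jpg.Marozka -> 1.jpg)."""
        return [p[:-len(ENCRYPTED_SUFFIX)] for p in self.encrypted]


def scan_tree(root):
    """Walk `root` and collect the Marozka indicators into a TriageReport."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        has_encrypted = False
        has_note = False
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                report.encrypted.append(path)
                has_encrypted = True
            elif name == RANSOM_NOTE:
                report.notes.append(path)
                has_note = True
        # The page says a note is written to each folder containing encrypted
        # files; a folder with encrypted files but no note is worth a closer look.
        if has_encrypted and not has_note:
            report.folders_missing_note.append(dirpath)
    report.encrypted.sort()
    report.notes.sort()
    report.folders_missing_note.sort()
    return report


def build_sample_tree():
    """Constructed sample tree (placeholder text files, not a real infection)."""
    root = tempfile.mkdtemp(prefix="marozka_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    sample_files = [
        os.path.join(docs, "report.docx" + ENCRYPTED_SUFFIX),
        os.path.join(docs, RANSOM_NOTE),
        os.path.join(pics, "1.jpg" + ENCRYPTED_SUFFIX),   # the page's own example name
        os.path.join(pics, "2.jpg" + ENCRYPTED_SUFFIX),
        os.path.join(root, "untouched.txt"),              # should not be reported
    ]
    for path in sample_files:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    print(f"Encrypted files: {len(result.encrypted)}")
    for original in result.original_names():
        print("  original name:", original)
    print(f"Ransom notes: {len(result.notes)}")
    print("Affected folders without a note:", result.folders_missing_note)
```

Run it as-is to see the report on the constructed tree, or pass a real mount point to scan_tree on an isolated forensic copy. The scanner matches the exact suffix the page documents; if a variant used a different extension, ENCRYPTED_SUFFIX is the single place to adjust.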
Text presented in Marozka ransomware text file ("HOW TO DECRYPT FILES.txt"):

All your information (documents, databases, backups and other files) this computer was encrypted using the most cryptographic algorithms.
All encrypted files are formatted .Marozka.
This form files '.Marozka' is a joint development ENGLISH and RUSSIAN Hackers.
You can only recover files using a decryptor and password, which, in turn, only we know.
It is impossible to pick it up.
Reinstalling the OS will not change anything.
No system administrator in the world can solve this problem without knowing the password
In no case do not modify the files! But if you want, then make a backup.
Drop us an email at the address silena.berillo@gmail.com if within 12 hours you do not respond to hto2018@yandex.ru for further insertions
You have 24 hours left. If they are not decrypted then after 24 hours they will be removed!!!
You can also decrypt files automatically on our website https://proverka.host

Text presented in Marozka's website:

MAROZKA-DECRYPTOR
CAREFULLY READ THE INSTRUCTIONS BELOW. DECRYPTION COST IS $ 100. YOU NEED TO HURRY LET ME REMIND YOU HAVE 24 HOURS
CHOOSE ONE OF THE PROPOSED DECRYPTION METHODS
1.WRITE TO US
2.OR MAKE THE PAYMENT YOURSELF. INSTRUCTIONS BELOW.
Enter your name
Enter your E-mail
Computer name (C :\\'User'\)
WRITE TO US
MAROZKA PROGRAM WAS DEVELOPED JOINTLY BY RUSSIAN AND AMERICAN DEVELOPERS
Only our program can decrypt files. Any independent attempts to decrypt files will delete them once and for all.
PAYMENT
Make a payment of 100 US dollars. On the bitcoin wallet 1NKtjyNax9cQuMYxLXfHWEKwRHac6gTeHc
Then you will be given a program and a key.
PAYMENT PROCEDURE
When paying in the form of a comment, enter your email address (email), after successful payment the program and password will be sent to decrypt.
FILE DECRYPTION
Specify the received password after payment and press the button to decrypt the files. Then all files are decrypted.
You can also buy the source code of the programs by writing to us.